Filescan module reports files that don't exist

[furrnace]

on one machine the Filescan module reported 3 files that do not exist when I look for them as root:

/usr/bin/tor, YARA rule SUSP_ELF_Tor_Client / Detects VPNFilter malware

/opt/base/sbin/cinit, YARA rule SUSP_ELF_LNX_UPX_Compressed_File / Detects a suspicious ELF binary with UPX compression
there is no directory /opt/base !

/opt/base/sbin/nginx, YARA rule SUSP_ELF_LNX_UPX_Compressed_File / Detects a suspicious ELF binary with UPX compression
there is /usr/sbin/nginx but it is not compressed with UPX

What could be the reason for such a result? Is this a bug?

[secDre4mer]

Hi @furrnace , yes, if those files don't actually exist, that's certainly a bug.

Looking at the code, I found a possible root cause. Could you show the full log lines for one of those files, or tell me if they contain an ARCHIVE_FILE key?